Researchers, vendors, ISPs attack 'Net attackers

Some of the best Internet minds in the world met last week to discuss a wide range of methods to rid the Web of malicious traffic.

The Usenix invitation-only workshop, called Steps to Reducing Unwanted Traffic on the Internet (SRUTI), brought together more than 50 academics from all over the world as well as technical staff from equipment vendors and ISPs to develop methods to cut down on spam, viruses, worms and distributed denial-of-service (DDoS) attacks - methods that are practical at an operational level.

Participants exposed fresh ideas to expert criticism, sometimes resulting in helpful suggestions and sometimes pointing out significant problems.

One promising proposal would help wipe out the bulk of DDoS attacks near their sources, but not those attacks in which the aggressor machines use spoofed IP addresses. Even though the proposal wouldn't block all attacks, it was still considered feasible because it would mitigate the bulk of DDoS exploits that rely on networks of unspoofed zombie machines - botnets - to fire off the attacks.

On the flip side, another presentation advanced a relatively simple method of encrypting e-mail that would also authenticate the sender and receiver. But this was pretty much shot down when one attendee pointed out that encrypting e-mail would render useless spam filters that search content and subject lines for key words. "You have just proposed an excellent tool for spammers," he said. The author didn't have an answer for that.

Practicality seemed the watchword for the day. The author of the presentation on blocking DDoS attacks said there have been proposals that would be extremely effective if there were separate IP address spaces for servers and clients. "This has real possibilities if only we were redesigning the Internet from scratch," said Mark Handley, a researcher from University College London in the U.K.

Instead, Handley's proposal would introduce devices near Internet servers and at the edge routers of ISPs to mark and monitor traffic to the servers. When a DDoS attack was detected, these devices would shut down, at the edge router, traffic from addresses identified as the source of the attack. These devices could effectively reduce DDoS traffic within a single ISP's network, Handley said. This enforcement could be extended to other ISPs and block attacks even closer to the source if the ISPs involved could develop enough trust to share knowledge about their networks, he said.

While DDoS drew much attention, SRUTI presenters also focused much of their time on spam, which accounts for the vast majority of e-mail crossing the Internet.

Dealing with spam

One researcher described a way to analyze the senders and recipients of e-mail in conjunction with a traditional spam filter to boost the overall effectiveness of spam protection. The algorithm reduces the amount of good e-mail that is identified as spam by about 20 percent, according to Jussara Almeida, a researcher at Universidade Federal de Minas Gerais in Brazil. "This is important since the cost of false positives is usually believed higher than the cost of false negatives," she said.

The study by her team divided senders and recipients into groups based on who routinely receives legitimate e-mail from whom. The memberships of these groups - essentially contact lists - are more stable than criteria used for other screening methods such as looking for keywords, Almeida said. Spammers can change the words selected for spam to duck keyword filters, but establishing themselves as members of trusted groups is more difficult, she said.

The algorithm weighs the probability that any message sent from a certain group of senders to a specific group of recipients is spam. It is effective at sorting a certain percentage as definitely spam and definitely not spam, with a gray area in between. The researchers are working to tweak the algorithm to reduce the size of the gray area, she said.

A similar method of sorting IP voice-mail spam - spam over IP telephony, or SPIT - also relies on senders and receivers. This is key in filtering SPIT because the point is to get rid of the unwanted messages without having to waste time listening to them, which would be required if the content were examined. "You don't have to look at content to get a pretty good idea of what is going on," said Steve Bellovin, a professor at Columbia University and a moderator at SRUTI. "This has been useful in the intelligence community for years."

Researchers from University of North Texas, Denton, have come up with a voice spam detection server they say can identify a spitter after just three calls to users in a group, such as a corporation. The server analyzes where calls are from and whether those sources are likely to be spam based on the experience users have had with calls from the same source, said Ram Dantu, a researcher at the university.

Other ideas floated at the workshop ranged from setting up honeypots to lure in spammers and then tie up their resources, to simulating network congestion to see how suspicious traffic streams respond as a way to determine whether a person is behind the session or a zombie machine sending automated responses. In aggregate the 13 papers presented last week represent a springboard for producing a faster Internet, said Dina Katabi, co-chairman of the workshop. "I think the talks have proposed promising solutions that address important problems," she said.


Tim Greene

Network World (US online)